CVE-2026-20070 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Cisco Secure Firewall Adaptive Security Appliance Software

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 93.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Secure Firewall Adaptive Security Appliance Software Cisco Secure Firewall Threat Defense Software

Timeline

PublishedMar 4

Description

A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by persuading a user to follow a link t…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5cisco/cisco_secure_firewall_adaptive_security_appliance_software161 versions+160

▶CVEListV5cisco/cisco_secure_firewall_threat_defense_software75 versions+74

🔴Vulnerability Details

GHSA

GHSA-xwx2-g284-r7j9: A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat↗2026-03-04

▶

CVEList

Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Cross-Site Scripting Vulnerability↗2026-03-04

▶

📋Vendor Advisories

Cisco

Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Cross-Site Scripting Vulnerability↗2026-03-04

▶